renamed: usr/libexec/security-misc/pam_tally2-info -> usr/libexec/security-misc/pam-info

renamed: usr/libexec/security-misc/pam_tally2_not_if_x -> usr/libexec/security-misc/pam_faillock_not_if_x renamed: usr/share/pam-configs/tally2-security-misc -> usr/share/pam-configs/faillock-security-misc
2025-07-20 21:01:00 +07:00 · 2021-08-10 15:06:04 -04:00
parent 6376bbff80
commit 2aea74bd71
3 changed files with 0 additions and 0 deletions
--- a/usr/libexec/security-misc/pam-info
+++ b/usr/libexec/security-misc/pam-info
@ -0,0 +1,153 @@
+#!/bin/bash
+
+## Copyright (C) 2019 - 2021 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
+## See the file COPYING for copying conditions.
+
+grep_result="$(grep "accessfile=/etc/security/access-security-misc.conf" /etc/pam.d/common-account 2>/dev/null)"
+
+## Check if grep matched something.
+if [ ! "$grep_result" = "" ]; then
+   ## Yes, grep matched.
+
+   ## Check if not out commented.
+   if ! echo "$grep_result" | grep -q "#" ; then
+      ## Not out commented indeed.
+
+      ## https://forums.whonix.org/t/etc-security-hardening-console-lockdown/8592
+
+      if id --name --groups --zero "$PAM_USER" | grep --quiet --null-data --line-regexp --fixed-strings "console"; then
+         console_allowed=true
+      fi
+      if id --name --groups --zero "$PAM_USER" | grep --quiet --null-data --line-regexp --fixed-strings "console-unrestricted"; then
+         console_allowed=true
+      fi
+
+      if [ ! "$console_allowed" = "true" ]; then
+         echo "$0: ERROR: PAM_USER: '$PAM_USER' is not a member of group 'console'" >&2
+         echo "$0: To unlock, run the following command as superuser:" >&2
+         echo "$0: (If you still have a sudo/root shell somewhere.)" >&2
+         echo "" >&2
+         echo "addgroup $PAM_USER console" >&2
+         echo "" >&2
+         echo "$0: However, possibly unlock procedure is required." >&2
+         echo "$0: First boot into recovery mode at grub boot menu and then run above command." >&2
+         echo "$0: See also:" >&2
+         echo "https://www.whonix.org/wiki/root#console" >&2
+         echo "" >&2
+         exit 0
+      fi
+   fi
+fi
+
+## https://forums.whonix.org/t/how-strong-do-linux-user-account-passwords-have-to-be-when-using-full-disk-encryption-fde-too/7698
+
+if [ ! "$(id -u)" = "0" ]; then
+   ## as user "user"
+   ## /sbin/pam_tally2 -u user
+   ## pam_tally2: Error opening /var/log/tallylog for update: Permission denied
+   ## /sbin/pam_tally2: Authentication error
+   ##
+   ## xscreensaver runs as user "user", therefore pam_tally2 cannot function.
+   ## xscreensaver has its own failed login counter.
+   ##
+   ## https://askubuntu.com/questions/983183/how-lock-the-unlock-screen-after-wrong-password-attempts
+   ##
+   ## https://www.whonix.org/pipermail/whonix-devel/2019-September/001439.html
+   true "$0: not started as root, exiting."
+   exit 0
+fi
+
+## Does not work (yet) for login, pam_securetty runs before and aborts.
+## Also this should only run for login since securetty covers only login.
+# if [ "$PAM_USER" = "root" ]; then
+#    if [ -f /etc/securetty ]; then
+#       grep_result="$(grep "^[^#]" /etc/securetty)"
+#       if [ "$grep_result" = "" ]; then
+#          echo "$0: ERROR: Root login is disabled." >&2
+#          echo "$0: ERROR: This is because /etc/securetty is empty." >&2
+#          echo "$0: See also:" >&2
+#          echo "https://www.whonix.org/wiki/root#login" >&2
+#          echo "" >&2
+#          exit 0
+#       fi
+#    fi
+# fi
+
+## Using || true to not break read-only disk boot without ro-mode-init or grub-live.
+pam_tally2_output="$(pam_tally2 --user "$PAM_USER")" || true
+
+if [ "$pam_tally2_output" = "" ]; then
+   true "$0: no failed login"
+   exit 0
+fi
+
+## Example:
+#Login           Failures Latest failure     From
+#user                0
+
+pam_tally2_output_last_line="$(echo "$pam_tally2_output" | tail -1)"
+## Example:
+#user                0
+
+arr=($pam_tally2_output_last_line)
+user_name="${arr[0]}"
+failed_login_counter="${arr[1]}"
+
+if [ ! "$PAM_USER" = "$user_name" ]; then
+   echo "$0: ERROR: PAM_USER: '$PAM_USER' does not equal user_name: '$user_name'." >&2
+   echo "$0: ERROR: Please report this bug." >&2
+   echo "" >&2
+   exit 0
+fi
+
+if [ "$failed_login_counter" = "0" ]; then
+   true "$0: INFO: Failed login counter is 0, ok."
+   exit 0
+fi
+
+deny_line="$(cat /etc/pam.d/common-auth | grep deny=)"
+## Example:
+#auth	requisite	pam_tally2.so even_deny_root deny=50 onerr=fail audit debug
+
+for word in $deny_line ; do
+   if echo "$word" | grep -q "deny=" ; then
+      deny="$(echo "$word" | cut -d "=" -f 2)"
+      break
+   fi
+done
+
+if [[ "$deny" == *[!0-9]* ]]; then
+   echo "$0: ERROR: deny is not numeric." >&2
+   echo "$0: ERROR: Please report this bug." >&2
+   echo "" >&2
+   exit 0
+fi
+
+remaining_attempts="$(( $deny - $failed_login_counter ))"
+
+if [ "$remaining_attempts" -le "0" ]; then
+   echo "$0: ERROR: Login blocked after $failed_login_counter attempts." >&2
+   echo "$0: To unlock, run the following command as superuser:" >&2
+   echo "$0: (If you still have a sudo/root shell somewhere.)" >&2
+   echo "" >&2
+   echo "pam_tally2 --quiet -r --user $PAM_USER" >&2
+   echo "" >&2
+   echo "$0: However, most likely unlock procedure is required." >&2
+   echo "$0: First boot into recovery mode at grub boot menu and then run above command." >&2
+   echo "$0: See also:" >&2
+   echo "https://www.whonix.org/wiki/root#unlock" >&2
+   echo "" >&2
+   exit 0
+fi
+
+echo "$0: WARNING: $failed_login_counter failed login attempts." >&2
+echo "$0: Login will be blocked after $deny attempts." >&2
+echo "$0: You have $remaining_attempts more attempts before unlock procedure is required." >&2
+echo "" >&2
+
+if [ "$PAM_SERVICE" = "su" ]; then
+   echo "$0: NOTE: Type the password. When entering the password, no password feedback (no asterisk (\"*\") symbol) will be shown." >&2
+   echo "" >&2
+fi
+
+exit 0